-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2004-1888 Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1888 2004-09-30 - --------------------------------------------------------------------- Name : mod_ssl Versions : 7.3: 2.8.12-6.legacy Summary : Cryptography support for the Apache Web server. Description : The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. - --------------------------------------------------------------------- Update Information: A stack buffer overflow was discovered in mod_ssl which can be triggered if using the FakeBasicAuth option. If mod_ssl is sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow can occur if FakeBasicAuth has been enabled. In order to exploit this issue the carefully crafted malicious certificate would have to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue. A format string issue was discovered in mod_ssl for Apache 1.3 which can be triggered if mod_ssl is configured to allow a client to proxy to remote SSL sites. In order to exploit this issue, a user who is authorized to use Apache as a proxy would have to attempt to connect to a carefully crafted hostname via SSL. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0700 to this issue. - --------------------------------------------------------------------- 7.3 changelog: * Wed Sep 29 2004 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.8.12-6.legacy - - Added apache and openssl-devel BuildPrereq * Thu Jul 22 2004 Dominic Hargreaves <dom@xxxxxxxx> 2.8.12-5.legacy - - Fix format string vulnerability in the ssl_log function in ssl_engine_log.c [CAN-2004-0700] - - Fix shmcb corruption for small cache sizes * Wed Jun 02 2004 Michal Jaegermann <michal@xxxxxxxxxxxx> 2.8.12-4.legacy - - security fix for CAN-2004-0488; rediffed from a patch for 2.8.12-8.1.91mdk by Vincent Danen <vdanen@xxxxxxxxxxxxxxxx> - --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/redhat/ (sha1sums) 211714e3a8faab1152e76471f1085f3d8ef30400 7.3/updates-testing/i386/mod_ssl-2.8.12-6.legacy.i386.rpm 027bf3500924d4bb58bd8bb0ed452420a0e134bc 7.3/updates-testing/SRPMS/mod_ssl-2.8.12-6.legacy.src.rpm - --------------------------------------------------------------------- Please test and comment in bugzilla. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBW99pLMAs/0C4zNoRAksfAJ4zMWeRLPTHmELaIwiAfrHMTHKt5gCfZZ2W uMv5AAvE1fGKGs0TM3u8kBY= =0lKU -----END PGP SIGNATURE----- -- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list
